Both the FCA and the PRA have written to firms to warn about certain risks associated with exposures to crypto-assets, and to advise firms of the measures they should consider implementing to mitigate such risks.

The FCA and the PRA have each written a “Dear CEO” letter to firms, to warn about the risks associated with exposure to crypto-assets. The letters reflect each regulator’s concerns, according to their regulatory remit, and provide examples of practical measures that firms should be putting in place.

These letters come at a time when both the use and regulatory scrutiny of crypto-assets are increasing, with the FCA recently revealing in a response to a Freedom of Information Act request that it is currently investigating 24 crypto firms.

Financial Crime Risks

The letter from the FCA focuses on conduct-related risk — namely, the financial crime risks relating to crypto-assets that banks may face.

The FCA stresses that banks should take reasonable and proportionate measures to lessen the risk of facilitating financial crime through their exposures to crypto-assets (which, by their nature, lend themselves to anonymity). The FCA suggests that if a bank offers services to clients who derive significant business activities or revenues from crypto-related activities, enhancing scrutiny of these clients and their activities may be necessary.

The FCA suggests that banks might consider measures such as:

Developing staff knowledge and expertise on crypto-assets, to help them identify the clients or activities that pose a high risk of financial crime

Ensuring that existing financial crime frameworks adequately reflect the crypto-related activities that the firm is involved in, and that these frameworks are capable of keeping pace with fast-moving developments

Engaging with clients to understand the nature of their businesses and the risks they pose

Carrying out due diligence on key individuals in the client business, including consideration of any adverse intelligence

Assessing the adequacy of clients’ own due diligence arrangements, if clients are offering forms of crypto-exchange services

If clients are involved in initial coin offerings (ICOs), considering the issuance’s investor base, organisers, the functionality of tokens (including intended use), and the jurisdiction

Banks are also expected to carry out proper source of wealth checks on customers whose wealth or funds derive from the sale of crypto-assets, or other crypto-related activities. The FCA stresses that although the evidence trail may be weaker in relation to crypto-assets than for other sources of funds, this does not justify applying a different evidential test.

Prudential Risks

The letter from the PRA is addressed to banks, insurers, and PRA-regulated investment firms, and focuses on prudential and financial stability risks.

While acknowledging the potential benefits crypto may have for the financial system over time, the PRA reminds firms of their responsibilities under PRA rules.

In particular, the PRA sets out the following examples of measures it considers appropriate for firms to implement in relation to crypto-assets:

Firms must recognise that crypto-assets represent a new, evolving asset class, with risks that should be considered fully by the board and the highest levels of executive management. In particular, an approved Senior Manager should be involved actively in reviewing and signing off on the risk assessment framework for any planned direct exposure to crypto-assets and/or entities heavily exposed to crypto-assets.

Firms should ensure that their management approaches are commensurate with the risks of crypto-assets. Understanding the risks of such complex assets will require access to appropriate expertise. Firms are expected to undertake extensive due diligence before taking on any crypto-exposures, and must maintain appropriate safeguards against all the related risks (including financial, operational, and reputational risks).

Firms should inform their usual supervisory contact of any planned crypto-asset exposure or activity on an ad hoc basis, together with an assessment of the risks associated with the intended exposure. Firms should also inform their usual supervisory contacts of the Senior Manager responsible for approving the exposure.

Firms’ remuneration policies and practices should ensure that the incentives provided for engaging in crypto-related activities do not encourage excessive risk-taking.

The letter also explains how the PRA would expect firms to take into account risks relating to crypto-exposures in their Internal Capital Adequacy Assessment Process or Own Risk and Solvency Assessment. The PRA emphasises that, although classification of crypto-assets for prudential purposes will depend on the precise features of the asset, crypto-assets should not be considered as currency for these purposes. The PRA also notes that discussions are ongoing at both domestic and international levels regarding the appropriate prudential treatment of crypto-assets, and it will update firms on any developments in this respect in due course.

Key Takeaways

While (as the PRA acknowledges) many firms may not yet have any exposures to crypto-assets, many will likely consider such exposures in future, if they have not done so already. Firms should note the regulators’ concerns and seek to put in place the measures advised, if appropriate.

However, firms should also note the implicit acknowledgement from the UK’s financial regulators that they are not prohibiting regulated firms from holding crypto-assets or entering the crypto markets. Rather, firms must be aware of any enhanced idiosyncratic risks relating to these assets, and ensure that they have appropriate systems, controls, and risk management procedures in place to deal with these risks. Therefore, the regulators’ decision to set out some clear expectations and practical measures in a notoriously uncertain area is helpful for firms.
